References — Web3 Security Mastery
Curated primary sources organized by topic. Prefer primary over secondary. [verify] marks items that may have changed since 2026-05. Date column = last verified or publication date. “Current” / “Historical” indicates whether the resource still reflects best practice.
How to use this list
- Reading priority: items in bold are required for the topic; the rest are deep-dive.
- Primary source = official spec, official docs, audit firm publication, or original post-mortem from the affected team.
- Secondary source = community summary; use only when primary is unavailable.
- Verify-at-study-time: tooling versions, EIP statuses, and L2 implementation details move fast. Always cross-check with the project’s GitHub main branch.
1. Official Documentation (always start here)
| Source | URL | Status | Why credible |
|---|---|---|---|
| Ethereum.org Developer Docs | https://ethereum.org/en/developers/docs/ | Current | Official Ethereum Foundation educational material |
| Solidity Documentation | https://docs.soliditylang.org/ | Current | Official language reference (check version selector for your target compiler) |
| Solidity Security Considerations | https://docs.soliditylang.org/en/latest/security-considerations.html | Current | Compiler maintainers’ own list of foot-guns |
| Ethereum Yellow Paper | https://ethereum.github.io/yellowpaper/paper.pdf | Current (revised) | Formal specification of EVM semantics; dense but authoritative |
| Ethereum Execution Specs | https://github.com/ethereum/execution-specs | Current | Python reference implementation of execution layer |
| EIPs Index | https://eips.ethereum.org/ | Current | Canonical EIP registry; check status (Draft/Review/Final/Stagnant) |
| EVM Opcodes Reference | https://www.evm.codes/ | Current | Interactive opcode + gas reference; community-maintained but accurate |
| OpenZeppelin Contracts | https://docs.openzeppelin.com/contracts | Current | De-facto secure-implementation library |
2. Audit Firm Publications
Trail of Bits
| Resource | URL | Notes |
|---|---|---|
| Building Secure Contracts | https://github.com/crytic/building-secure-contracts | Slither/Echidna-centric secure-dev guide; high-quality |
| Trail of Bits blog | https://blog.trailofbits.com/ | Filter by tag/blockchain |
| Publications repo | https://github.com/trailofbits/publications | Public audit reports |
| Algo VM Security guide | https://github.com/crytic/algo-vm-security | Non-EVM angle |
ConsenSys Diligence
| Resource | URL | Notes |
|---|---|---|
| Smart Contract Best Practices | https://consensys.github.io/smart-contract-best-practices/ | Long-standing community resource |
| Diligence audits | https://consensys.io/diligence/audits | Public audit catalog |
| Diligence research | https://consensys.io/diligence/research | Tooling and methodology posts |
OpenZeppelin
| Resource | URL | Notes |
|---|---|---|
| OpenZeppelin blog (Security) | https://blog.openzeppelin.com/security-audits | Audit summaries; deep technical write-ups |
| Ethernaut | https://ethernaut.openzeppelin.com/ | Browser-based Solidity wargame; required Week 5 lab |
Spearbit / Cantina
| Resource | URL | Notes |
|---|---|---|
| Spearbit portfolio | https://spearbit.com/portfolio | Public audit reports |
| Cantina platform | https://cantina.xyz/ | Audit competitions + private audits |
ChainSecurity / Sigma Prime / Halborn / Zellic / Macro / Asymmetric / Code4rena Zenith
Each maintains a public audit portfolio. Check their site directly; report quality varies, but their flagship engagements (e.g., ChainSecurity on Lido, Sigma Prime on Lighthouse) are gold standard.
3. Standards & EIPs (the ones auditors must know cold)
Core
| EIP | Title | Notes |
|---|---|---|
| EIP-20 | ERC-20 Token Standard | Original; transfer return-value optional in some implementations — major footgun |
| EIP-721 | NFT Standard | Safe-transfer callback hazard |
| EIP-1155 | Multi-Token Standard | Callback hazard in batched transfers |
| EIP-4626 | Tokenized Vault | Inflation attack; share/asset rounding direction |
| EIP-777 | Token w/ Send-Hooks | Reentrancy vector; mostly historical, but used in some legacy tokens |
| EIP-2612 | permit() for ERC-20 | Signature replay angle |
| Permit2 | Uniswap unified approval | Not an EIP but a deployed contract; widely integrated |
Infrastructure
| EIP | Title | Notes |
|---|---|---|
| EIP-1559 | Fee market | Base fee + priority fee; affects MEV economics |
| EIP-4844 | Proto-Danksharding (blobs) | L2 data-availability cost dropper |
| EIP-1967 | Proxy storage slots | Canonical slots for impl/admin/beacon |
| EIP-1822 | UUPS proxy | Upgrade auth in impl; common audit subject |
| EIP-2535 | Diamond standard | Multi-facet proxy; storage hazards |
| EIP-191 | Signed data standard | Prefix guarantees a signed message can never be a valid transaction (prevents message/transaction collision) |
| EIP-712 | Typed structured data signing | Replay protection via domain separator |
| EIP-2930 | Access lists | Optimization, mild audit relevance |
| EIP-3074 / EIP-7702 | EOA → smart-account migration | EIP-7702 in particular reshapes signing trust (post-Pectra) [verify status] |
| ERC-4337 | Account Abstraction | UserOp pipeline; not a hard fork |
| EIP-6492 | Counterfactual signature verification | AA-friendly off-chain sig check |
L2 / Rollup
| EIP / Spec | Title | Notes |
|---|---|---|
| OP Stack docs | https://docs.optimism.io/ | Optimistic rollup reference |
| Arbitrum Nitro docs | https://docs.arbitrum.io/ | Nitro architecture, fraud proofs |
| zkSync Era docs | https://docs.zksync.io/ | Native AA |
| Starknet docs | https://docs.starknet.io/ | Cairo VM |
| L2Beat | https://l2beat.com/ | Trust assumption tracking |
4. Exploit Post-Mortems & Incident Aggregators
| Source | URL | Notes |
|---|---|---|
| Rekt News | https://rekt.news/ | Highest-quality narrative coverage of incidents; cite the protocol’s own post-mortem for technical details |
| Immunefi blog & writeups | https://medium.com/immunefi | Bug-bounty disclosures, often with PoC |
| SlowMist Hacked DB | https://hacked.slowmist.io/ | Incident database; cross-reference |
| DeFiLlama Hacks | https://defillama.com/hacks | Aggregated loss tracker; numbers are best-effort |
| PeckShield Twitter / blog | https://x.com/peckshield | Early on-chain incident detection |
| Solodit | https://solodit.cyfrin.io/ | Aggregated audit findings from competitive audits; searchable |
Notable individual post-mortems (linked in case studies)
- The DAO (2016): Phil Daian’s original analysis — https://hackingdistributed.com/2016/06/18/analysis-of-the-dao-exploit/
- Parity multisig (2017): Parity post-mortem — https://www.parity.io/blog/security-alert-parity-wallet/ (historical)
- bZx (2020): PeckShield analysis (Feb 2020)
- Wormhole (2022): Wormhole official + Certus One write-up
- Ronin (2022): Sky Mavis official statement (March 2022)
- Nomad (2022): Nomad official + samczsun thread
- Euler (2023): Euler Labs post-mortem + Omniscia/Sherlock follow-up audits
- Curve Vyper (2023): Vyper team statement + Curve incident channel
- Penpie (2024): Pendle/Penpie post-mortem
Verification rule: when citing a loss amount in an audit write-up, link to the protocol’s own statement or the block explorer transaction set, not aggregator estimates. Numbers from aggregators are approximations.
5. Competitive Audit Platforms (current state of practice)
| Platform | URL | Format | Use for |
|---|---|---|---|
| Code4rena | https://code4rena.com/ | Public competitive | Reading judging decisions, finding write-ups |
| Sherlock | https://www.sherlock.xyz/ | Hybrid competitive + lead auditor | Coverage + judging policy clarity |
| Cantina | https://cantina.xyz/ | Competitive + private | Larger competitions, top-of-leaderboard write-ups |
| Hats Finance | https://hats.finance/ | Bug bounty + audit | Active bounties |
| Immunefi | https://immunefi.com/ | Bug bounty | Largest bounty platform; severity rubric is industry reference |
Reading judged findings on these platforms — especially the disagreements between auditors and judges — is one of the fastest ways to develop severity judgment.
6. Tooling Documentation
| Tool | Type | Docs | Notes |
|---|---|---|---|
| Foundry (forge/cast/anvil/chisel) | Dev + test framework | https://book.getfoundry.sh/ | Industry default. Mainnet fork + cheatcodes + invariant fuzzing built-in |
| Hardhat | Dev framework | https://hardhat.org/docs | Older but still used; TypeScript scripts ecosystem |
| Slither | Static analyzer | https://github.com/crytic/slither | Run first on every codebase. Detector list at docs/detectors/ |
| Echidna | Property-based fuzzer | https://github.com/crytic/echidna | Stateful Haskell-based fuzzer |
| Medusa | Property-based fuzzer | https://github.com/crytic/medusa | Go-based, parallel fuzzing, geth-fork |
| Mythril | Symbolic executor | https://github.com/Consensys/mythril | Older; useful for specific patterns |
| Manticore | Symbolic executor | https://github.com/trailofbits/manticore | [verify maintenance status] — primarily research / archival |
| Certora Prover | Formal verification | https://www.certora.com/ | CVL spec language; commercial but free tier exists |
| Halmos | Symbolic-test runner | https://github.com/a16z/halmos | Foundry-compatible, BMC-style; lightweight formal |
| Tenderly | Tx simulator + monitoring | https://tenderly.co/ | Best transaction debugger |
| Etherscan / block explorers | Tx + contract explorer | https://etherscan.io/ | Verified-source browsing, decoded calls |
| Phalcon / Blocksec | Tx tracer | https://app.blocksec.com/explorer/tx | Excellent for tracing exploit transactions |
| 4byte directory | Selector lookup | https://www.4byte.directory/ | Function selectors → signatures |
| Forta | Real-time monitor | https://forta.org/ | Detection bots for incidents |
| DethCrypto contract index | Contract index | https://github.com/dethcrypto/ethereum-types | Type-safe interaction |
Non-EVM tooling
| Tool | Chain | Docs |
|---|---|---|
| Anchor | Solana | https://www.anchor-lang.com/ |
| Solana Program Library | Solana | https://spl.solana.com/ |
| CosmWasm Book | Cosmos | https://book.cosmwasm.com/ |
| Move Prover | Aptos/Sui | https://aptos.dev/move/prover/move-prover/ |
| Sui Move docs | Sui | https://docs.sui.io/concepts/sui-move-concepts |
| Aptos Move docs | Aptos | https://aptos.dev/move/move-on-aptos |
7. Research Papers & Books
Books
| Title | Author | Notes |
|---|---|---|
| Mastering Ethereum | Andreas M. Antonopoulos & Gavin Wood | Foundational. Free online: https://github.com/ethereumbook/ethereumbook |
| Programming Bitcoin | Jimmy Song | Crypto/curve math foundations |
| Real-World Cryptography | David Wong | Most accessible serious-crypto book |
| Bitcoin: A Peer-to-Peer Electronic Cash System | Satoshi Nakamoto | The 9-page paper that started it; read at least once |
Papers (selected)
| Paper | Why it matters |
|---|---|
| Flash Boys 2.0 (Daian et al., 2019) — https://arxiv.org/abs/1904.05234 | Foundational MEV paper |
| SoK: Decentralized Finance (DeFi) (Werner et al., 2021) — https://arxiv.org/abs/2101.08778 | DeFi taxonomy reference |
| Quantifying Blockchain Extractable Value (Qin, Zhou, Gervais, 2021) | MEV quantification |
| An Empirical Study of Smart Contract Vulnerabilities — various authors | Empirical bug-class distribution |
| A Survey of Smart Contract Formal Specification and Verification — Tolmach et al. | Formal methods landscape |
8. Continuing-Education Feeds
| Source | URL | Cadence |
|---|---|---|
| Paradigm research | https://www.paradigm.xyz/writing | Irregular; high-signal |
| a16z crypto research | https://a16zcrypto.com/research/ | Irregular |
| Flashbots research | https://writings.flashbots.net/ | MEV / PBS |
| Vitalik’s blog | https://vitalik.eth.limo/ | Roadmap thinking |
| Samczsun | https://samczsun.com/ | Exploit threads; required reading |
| Trust Security blog | https://trust-security.xyz/blog | Audit-firm-style explainers |
| Privacy & Scaling Explorations (PSE) | https://pse.dev/ | ZK applied research |
9. Communities
| Place | What |
|---|---|
| r/ethdev | Discussion; mixed quality |
| Ethereum Magicians (https://ethereum-magicians.org/) | EIP discussion at proposal stage |
| Ethereum Research forum (https://ethresear.ch/) | Protocol research |
| Code4rena Discord | Competitive audit community |
| Secureum bootcamp materials | Free curriculum on smart contract security |
10. Quality / Currency Tagging Convention
When this course cites a source, the convention is:
(Author/Org, YYYY-MM, [Current|Partial|Historical])
- Current: matches present best practice; safe to apply.
- Partial: still useful but some recommendations outdated; flag the parts that are.
- Historical: was best practice at time of writing; do not apply without verification.
Examples in lesson notes:
- “OpenZeppelin AccessControl docs (OZ, 2025, Current)”
- “SWC Registry (SmartContractSecurity, 2020, Partial — many SWC entries are still valid but the project is not actively updated; cross-check with current detector docs)”
- “ConsenSys SCBP (ConsenSys, 2021, Partial — reentrancy / external call sections current; randomness section outdated, use VRF guidance instead)”
Last updated: 2026-05-16
See also: MOC-Web3-Security-Mastery · Roadmap